Making the case for a layered email security approach

MSPs have a lot of ground to cover with their clients. Beyond providing protection, they also have to persuade. Many MSPs find themselves needing to justify additional cybersecurity investments at a time when budgets are under scrutiny, which can make selling new services especially challenging.

That’s particularly true when it comes to layered email security, a solution that’s often underestimated despite being one of the most critical components of a modern security stack.

To explore how MSPs can better make the case, SmarterMSP.com caught up with Stanislav Kazanov, Head of GRC, Cybersecurity & Sustainability at Innowise, about reframing the value of email security in a way that resonates with business decision‑makers.

Reframing email security as a financial risk conversation

“As someone who sits in the middle of two worlds—cybersecurity and business governance—I find that MSPs struggle to sell email security because customers view it as a technical problem rather than a financial fraud issue,” Kazanov said.

For cost‑conscious clients, he recommends shifting the conversation away from malware and exploits and toward tangible business functions—starting with accounts payable.

If you want a CFO to approve multi‑layered email security, Kazanov noted, stop talking about threats in abstract terms and start talking about money movement, fraudulent invoices, and wire transfers.

The key is presenting the ROI without sounding as though you’re selling a doomsday insurance policy. Just as important, MSPs need to help clients understand why email security plays a different—and often more critical—role than endpoint protection alone.

Why endpoint protection alone isn’t enough

“To depend completely on endpoint protection to prevent email attacks would be the same as opening the front door to let the burglar in and then trying to catch him on camera before he made it to your safe,” Kazanov said.

While endpoint detection and response (EDR) can stop malicious executables from running on a laptop, many of today’s most damaging attacks don’t rely on malware at all.

“Business Email Compromise attacks succeed because they look legitimate,” Kazanov explained. “They often involve a polite, well‑timed email from a spoofed vendor asking the finance department to change the routing number for an invoice.”

From an endpoint perspective, nothing looks wrong. Opening an email and submitting a wire transfer are valid user actions, so the EDR agent has no reason to raise an alert. Email security, on the other hand, can inspect the message itself before anyone acts on it: whether the sending domain authenticates, whether the reply address matches the sender, whether the finance team has ever heard from this sender before, and whether the request fits the sender's normal communication patterns.
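
The contrast above is easier to see in code. What follows is an added example written for this page, not code from SmarterMSP, Innowise or Northdoor: a small set of header and content heuristics for the vendor-impersonation scenario Kazanov describes. The trusted-contact directory, the sender history, the indicator weights and both messages are constructed for illustration, and the script assumes single-part text/plain mail so it runs offline with only the standard library.

```python
"""Header and content heuristics for a vendor-impersonation BEC attempt.

Added example: this is not code from SmarterMSP, Innowise or Northdoor. The
trusted-contact directory, the sender history, the weights and both messages
are constructed inline so the script runs offline.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of senders the finance team legitimately deals with:
# display name -> the domain their real mail arrives from.
TRUSTED_CONTACTS = {
    "Acme Supplies AP": "acme-supplies.example",
    "Jane Doe": "corp.example",  # the client's own CFO
}

# Constructed history: domains this mailbox has received mail from before.
SEEN_DOMAINS = {"acme-supplies.example", "corp.example"}

# "new / updated / changed" within 40 characters of a payment-details noun,
# in either order.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|change[sd]?)\b.{0,40}\b(bank|account|routing|iban|wire|remittance)\b"
    r"|\b(bank|account|routing|iban|wire|remittance)\b.{0,40}\b(new|updated?|change[sd]?)\b",
    re.IGNORECASE | re.DOTALL,
)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|asap|end of (the )?day)\b", re.IGNORECASE)

# Indicator weights are assumed values for illustration, not vendor thresholds.
WEIGHTS = {"impersonation": 3, "reply_to": 2, "first_contact": 1, "payment_change": 3, "urgency": 1}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Score one raw RFC 5322 message; returns (verdict, score, reasons)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    reasons = []

    # 1. Display-name impersonation: a known contact's name on a foreign domain.
    expected = TRUSTED_CONTACTS.get(from_name.strip())
    if expected and from_domain != expected:
        reasons.append(("impersonation", f"'{from_name}' sent from {from_domain}, expected {expected}"))

    # 2. Reply-To diverts the conversation to a different domain.
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(("reply_to", f"replies go to {domain_of(reply_addr)}, not {from_domain}"))

    # 3. Never seen this sending domain before.
    if from_domain and from_domain not in SEEN_DOMAINS:
        reasons.append(("first_contact", f"first message from {from_domain}"))

    # 4. Content: a request to change where the money goes, plus pressure to act now.
    # Single-part text/plain is assumed here; a real filter walks every MIME part.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body
    if PAYMENT_CHANGE.search(text):
        reasons.append(("payment_change", "asks to change payment details"))
    if URGENCY.search(text):
        reasons.append(("urgency", "pressures the reader to act immediately"))

    score = sum(WEIGHTS[kind] for kind, _ in reasons)
    verdict = "quarantine" if score >= 5 else "review" if score >= 2 else "deliver"
    return verdict, score, [text for _, text in reasons]


# Constructed messages: a routine vendor invoice and a BEC attempt imitating it.
LEGIT = """From: Acme Supplies AP <ap@acme-supplies.example>
To: finance@corp.example
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, invoice 4471 for last month's order is attached. Thanks!
"""

BEC = """From: Acme Supplies AP <ap@acme-supp1ies-billing.example>
Reply-To: accounts@mail-acme-supp1ies.example
To: finance@corp.example
Subject: Invoice 4471 - updated banking details
Content-Type: text/plain; charset=utf-8

Hi, we have changed our bank account. Please update the routing number before
paying invoice 4471. This is urgent, kindly process it today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("bec", BEC)):
        print(label, *bec_indicators(raw))
```

None of these signals is proof on its own, and a vendor mailbox that has genuinely been compromised passes the first three checks cleanly; in that case only the content pattern remains, which is why a request to change banking details should also be confirmed out of band with a number the finance team already holds.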

Stop selling fear. Start selling fraud prevention.

When pitching layered email security to CFOs and executive stakeholders, Kazanov suggested MSPs abandon scare tactics altogether.

“Talking about nation‑state hackers only leads to fatigue—both for you and for the client,” he said. “Instead, think about email security as a way to prevent fraud.”

That framing places email security squarely in the realm of risk management and financial protection rather than hypothetical cyber catastrophes.

The most undervalued line of defense

Martin Summerhayes, Head of Managed & Support Services at Northdoor, echoed that sentiment. In his experience, email security is consistently one of the most undervalued defenses in a client’s security stack—despite being one of the most consequential when it fails.

At Northdoor, budget conversations don’t start with threat statistics. They start with business impact.

“A single successful phishing attack that results in ransomware or a BEC event,” Summerhayes noted, “can cost tens or hundreds of thousands of dollars in downtime, recovery, regulatory exposure, and reputational damage—while a well‑structured layered email security solution typically costs a fraction of that, often less than a single day of incident response.”

Four ways MSPs can make the case—without sounding alarmist

For MSPs looking to position layered email security more effectively, Summerhayes outlined four practical approaches:

1. Use relevance, not volume.
Client‑adjacent or sector‑specific breach examples land far better than generic threat statistics.

2. Expose the cost of “good enough.”
Many clients assume Microsoft 365 or Google Workspace filtering is sufficient. MSPs should demonstrate—through testing—what native controls miss, particularly around impersonation, lookalike domains, and zero‑day payloads.

3. Make awareness continuous.
Security education should be an ongoing program, not a one‑time training session.

4. Tie email security to compliance.
For regulated industries, layered email security is increasingly expected under frameworks such as Cyber Essentials Plus, ISO 27001, and DORA. Framing it as a compliance enabler rather than a pure security cost can dramatically shift the conversation.
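
Item 2 above recommends showing clients, through testing, what native filtering misses on impersonation and lookalike domains. The following is an added example of the kind of check an MSP can run for that demonstration; it is not code from the page or from Northdoor. The confusables table is a small hand-picked subset of the Unicode confusables data, the "organizational domain is the last two labels" rule stands in for a Public Suffix List lookup, and every domain is constructed for illustration.

```python
"""Lookalike-domain detection against a list of trusted vendor domains.

Added example, not code from the page or the companies quoted. The confusables
table is a small subset of the Unicode confusables data, org_domain() is a
simplification of a Public Suffix List lookup, and all domains are constructed.
"""

# Constructed subset of confusable characters mapped to the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "\u0261": "g",  # Cyrillic/Greek/IPA
    "1": "l", "0": "o", "3": "e", "5": "s",                                     # digits
}
MULTI_CHAR = {"rn": "m", "vv": "w"}  # two glyphs that read as one

TRUSTED_VENDORS = ["acme-supplies.example", "corp.example"]


def to_unicode(domain):
    """Decode any punycode (xn--) labels so homoglyphs can be compared."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(label):
    """Collapse a label to the ASCII shape a human would read it as."""
    shape = "".join(CONFUSABLES.get(ch, ch) for ch in label.replace("-", ""))
    for seq, rep in MULTI_CHAR.items():
        shape = shape.replace(seq, rep)
    return shape


def levenshtein(a, b):
    """Plain edit distance; the labels are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def org_domain(domain):
    return ".".join(domain.split(".")[-2:])  # simplification, see module docstring


def lookalike_verdict(candidate, trusted_domains=TRUSTED_VENDORS):
    """Return (trusted_domain, reason) if candidate imitates one, else None."""
    cand = to_unicode(candidate)
    cand_org = org_domain(cand)
    cand_skel = skeleton(cand_org.split(".")[0])
    sub_labels = cand.split(".")[:-2]  # labels to the left of the org domain
    for trusted in trusted_domains:
        t_org = org_domain(trusted.lower())
        if cand_org == t_org:
            return None  # the real domain, or a subdomain of it
        t_skel = skeleton(t_org.split(".")[0])
        max_dist = 1 if len(t_skel) < 8 else 2
        if cand_skel == t_skel:
            return trusted, "confusable characters"
        if levenshtein(cand_skel, t_skel) <= max_dist:
            return trusted, "typosquat"
        if t_skel in cand_skel:
            return trusted, "trusted name with extra tokens"
        if any(skeleton(label) == t_skel for label in sub_labels):
            return trusted, "trusted name used as a subdomain"
    return None


if __name__ == "__main__":
    # Constructed sender domains, including a Cyrillic-a homoglyph in punycode form.
    samples = [
        "acme-supplies.example",
        "acme-supp1ies.example",
        "acme-suplies.example",
        "acme-supplies-billing.example",
        "acme-supplies.example.attacker-mail.example",
        "\u0430cme-supplies.example".encode("idna").decode("ascii"),
    ]
    for sender in samples:
        print(sender, "->", lookalike_verdict(sender))
```

The "extra tokens" rule is the noisiest of the four (a short trusted name such as "corp" will match inside unrelated words), so in a real deployment it is the one to gate behind a review queue rather than an automatic block.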

Position email security as the frontline

From a technical standpoint, Summerhayes noted that the most effective layered approach combines advanced anti‑phishing and impersonation protection, attachment and URL sandboxing, DMARC/DKIM/SPF enforcement, ongoing security awareness training, and continuity and archiving capabilities, features often overlooked until a client experiences an outage. One caveat worth making explicit to clients: SPF, DKIM and DMARC only stop messages that spoof an exact domain which publishes an enforcing policy. A lookalike domain the attacker registers, or a legitimate vendor mailbox the attacker has compromised, authenticates cleanly, which is why the impersonation and awareness layers sit alongside the authentication layer rather than being replaced by it.
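
To make "DMARC/DKIM/SPF enforcement" concrete, here is an added example (written for this page, not code from Northdoor or the article) that parses a DMARC record and applies it to the SPF and DKIM results of a received message. It goes slightly beyond the sentence above by showing the two settings that decide whether enforcement actually happens: the policy tag (p=none monitors, p=reject enforces) and the alignment mode (relaxed vs strict). The DNS records and authentication results are constructed inline, no lookups are made, the "organizational domain is the last two labels" rule stands in for a Public Suffix List lookup, and pct= sampling is parsed but not applied.

```python
"""DMARC record parsing and alignment evaluation for a received message.

Added example, not code from the page or the companies it quotes. DNS records
and authentication results are constructed inline (no lookups are made),
org_domain() is a simplification of a Public Suffix List lookup, and pct=
sampling is parsed but not applied.
"""

# Constructed DMARC TXT records, keyed by the domain that would publish them
# at _dmarc.<domain>.
DNS = {
    "corp.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@corp.example",
    "vendor.example": "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example",
    "corp-payments.example": "v=DMARC1; p=none",  # attacker-registered lookalike, set up correctly
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # DKIM alignment: relaxed unless stated
    tags.setdefault("aspf", "r")    # SPF alignment: relaxed unless stated
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])  # simplification


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf, dkim, dns=DNS):
    """Apply the From domain's DMARC policy to the message's SPF/DKIM results.

    spf  = (result, envelope-from domain)
    dkim = (result, d= domain) or None when the message is unsigned
    Returns (disposition, policy): disposition is 'pass', 'none', 'quarantine'
    or 'reject'; policy is the parsed record or None if the domain has none.
    """
    record = dns.get(from_domain.lower()) or dns.get(org_domain(from_domain))
    if record is None:
        return "none", None  # no policy published: nothing to enforce
    pol = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, pol["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(dkim[1], from_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return "pass", pol
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return (pol["sp"] if is_subdomain else pol["p"]), pol


if __name__ == "__main__":
    # Constructed scenarios: exact-domain spoof, legitimate third-party sender,
    # strict alignment breaking legitimate mail, and a lookalike that passes.
    cases = [
        ("spoof of enforcing domain", "corp.example", ("pass", "bulk-sender.example"), None),
        ("spoof of monitoring domain", "vendor.example", ("pass", "bulk-sender.example"), None),
        ("legit via third party", "corp.example", ("pass", "bounce.sender.example"), ("pass", "corp.example")),
        ("legit, strict breaks it", "corp.example", ("pass", "mail.corp.example"), ("pass", "mail.corp.example")),
        ("lookalike domain", "corp-payments.example", ("pass", "corp-payments.example"), None),
    ]
    for name, frm, spf, dkim in cases:
        print(f"{name:28} -> {evaluate(frm, spf, dkim)[0]}")
```

The fourth scenario is the one that bites during rollouts: a client that publishes adkim=s or aspf=s while a subdomain still signs or sends on its behalf will see its own mail rejected, so strict alignment should be turned on only after the aggregate (rua) reports show every legitimate source aligned. The last scenario is the DMARC caveat from the paragraph above: the lookalike domain passes because the attacker controls its records.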

“The mistake many MSPs make is selling email security as a bolt‑on,” Summerhayes said. “The better approach is to position it as the frontline of your security practice—because statistically, it is.”

This post originally appeared on Smarter MSP.
